The Tinder Swindler in the Workplace
I am a fan of the “fraudster” documentary genre. The Tinder Swindler was one of the more interesting ones I’ve seen, ticking every box on the checklist for viral streaming success:
A charismatic con artist who stops at nothing to con people out of their money
A far-fetched lure by the con artist that makes the viewer think “I would never fall for that”
A likeable, innocent dupe
A dramatic ending in which the con artist is exposed
I watched the documentary shortly after its release (thanks, algorithm!) and marveled at the audacity of the swindler. But it wasn’t until I read this recent TechCrunch article by Devin Coldewey that I understood that there are job applicants who are just as audacious and looking to swindle unwitting employers.
It takes more than just an exaggerated résumé to fool employers these days. These swindlers have gone high-tech.
1. “Deepfaking” interviews
As discussed in Coldewey’s article, the FBI issued a warning to employers in late June about the use of “deepfakes” to apply for remote job openings, “includ[ing] a video, an image, or recording convincingly altered and manipulated to misrepresent someone as doing or saying something that was not actually done or said.” In short, the applicant behind the image or voice is not who they claim or appear to be.
Some viral deepfakes may give us a laugh, but they can be costly and dangerous if an employer is fooled by them. Proper employee verification is a critical part of protecting the business, its clients, and its employees.
Given the challenges some employers face in finding quality, local job applicants and the rise of remote work, online interviews are now commonplace. With that growing trend arises the possibility of deepfake interviews and employers hiring applicants whose only intent is to cause harm to the company, including through data theft. Stolen data can be sold to or shared with competitors or foreign governments, or simply posted online to expose and embarrass the company.
2. Faking credentials and using stolen identity
Identity fraud in the workplace is nothing new. Anyone who watched Mad Men remembers the lengths to which Don Draper went to hide his real identity from his colleagues at Sterling Cooper.
Pre-COVID, I saw examples of employees who provided doctored diplomas or fake certifications. Luckily in those instances, a thorough HR rep or background check company discovered them. But the increasing sophistication of editing software means employers should be on guard for fake documents more than ever.
In 2021, many employers enacted vaccination policies and required proof of vaccination from employees. CBC reported a trend of online sellers “offering fake proof-of-vaccination cards or QR codes…for $200” and even uploading that information to provincial systems to ensure validation.
Passing fake documents is, in most cases, cause for termination, and may be a criminal offence. But what if employers hire uncertified employees and send them out into the field before the issue is caught? Horror stories do happen. This is particularly problematic if the employer sends employees to highly regulated client worksites or to work with vulnerable clients, including hospital patients.
3. Spoofing IP addresses
Following the massive shift to remote work in March 2020, employers tightened their cybersecurity protocols. Among the critical changes was restricting international IP addresses from accessing company portals. While HR’s goal in this change was to prevent employees from travelling abroad and working remotely without permission, it had the (arguably more important) effect of preventing hackers from accessing company information.
Outside of the workplace, people often spoof their IP addresses to access streaming platforms for free. That same spoofing technique can be used to fool cybersecurity restrictions so that employees (and potential employees) appear to be working within Canada even though they are overseas.
Anecdotally, I have heard of several instances of recent hires who used this spoofing technique to get hired by Canadian companies while abroad (and so were not eligible applicants). Even if the employer terminates the employee’s employment immediately after the issue is discovered, tax and data security issues arose on the employee’s first day of work, and they trigger expensive tax and regulatory liability and embarrassing third-party reporting obligations.
What are the risks of hiring a fraudster and how can an employer protect itself?
Hiring a fraudster can lead to stolen proprietary and personal information, regulatory fines and punishment, and reputational harm, in addition to other industry- and company-specific concerns.
Minimizing the likelihood of hiring a fraudster is all about process. My colleague, Cindy Ingram, wrote recently about the technification of the workplace and spoke to some of the ways that employers need to modernize to protect themselves.
After reviewing the FBI’s recent warning, I also recommend:
Enact a preventative, team-based approach to the application process: Applicant fraud is not just a legal/HR issue. There should be a balanced process with input from IT, compliance, and independent cybersecurity consultants about how to deter and detect deception by job applicants.
Don’t skip background checks entirely: Relying heavily on outside reference checks is problematic, but it is appropriate to use some third-party authentication. I see many employers that now waive the background checks or allow applicants to complete the checks post-start date to secure a quick hire. I encourage employers to hire a professional to complete specific background checks before the start date. The employer should be thoughtful about what types of checks are necessary and what checks may unnecessarily impact marginalized employees (without materially improving the authentication process).[i]
Limit and monitor access to personally identifiable information (PII) and trade secrets: In the FBI’s recent warning, it cited examples of deepfake applicants who sought positions specifically with “access to customer PII, financial data, corporate IT databases and/or proprietary information.” The risk to the employers in hiring those applicants was significant, as was the reward to the deepfakers. They are not applying for the fun of it: their intention is to get hired, get access to key information, and get out. Restricting and examining employees’ access to PII and other “secret sauce” information can help to prevent (or at worst, minimize) the potential damage by a fraudulent employee, as we discussed in a previous blog regarding a massive employer privacy breach.
Employers should not rely on the “I would never fall for that” assumption when it comes to their vetting processes. Tech-savvy fraudsters have an easier time than ever slipping through the cracks and have a lot to gain if they do so successfully. Improved, informed screening techniques can keep employers one step ahead o
***
[i] See Maye Kunu’s article “The Case Against Reference Checks” in Early Magazine.